Lecture 13: Business Case
Risk Response Prioritisation
  - Quick Wins
    - Clear benefits; highly effective and efficient
    - Less likely to be challenged; gets majority support
    - Reflect the 80/20 rule
  - Business Case
    - Benefit realisation that needs justification
    - Likely to be challenged
    - Competes with other priorities
  - Defer
    - Benefits not achieved without reasonable efficiency/cost
    - Very likely to be challenged
    - Low cost ratio
  - Exceptions to prioritisation:
    - Critical infrastructure
    - Regulations
    - International and widely accepted guidelines/best practice
    - Affects people's safety/lives
Business case structure
  Elements of a business case:
  - Introduction and overview
    - Set the context for the target audience
    - Provide an environmental scan
  - Assumptions and methodologies
    - Relativity and changes
    - Methodologies:
      - Return on Investment (ROI)
        - ROI = (gain - cost) / cost
        - Does not include a time perspective
        - Poor measurement method for security investment, since there are no tangible returns
        - ROI vs ROSI:
          - ROI is good for measuring the return on a general investment
          - Effective security prevents exposure from incidents, so it yields no tangible benefit such as profit
          - ROSI focuses on the losses avoided by investing in controls/security technology
      - Cost Benefit Analysis (CBA)
        - Net benefit = benefit - cost
        - Commonly used to compare solutions and select the best one
        - Allows flexibility of qualitative and semi-qualitative calculation
      - Business Impact Analysis (BIA)
        - Annual Loss Event = (exposure x probability) / annual duration
        - Measures the potential loss due to a risk event
        - Provides guidance on the prudent amount to spend to prevent the risk event
  - Projected results
    - Develop scenarios taking into account:
      - Different values for the same set of variables
      - Different solutions
      - The current situation
    - Highlight the key metric for each scenario for comparison
    - Provide an analysis of each scenario, including pros and cons
  - Risk analysis
    - Projected results may not reflect the future
    - For credibility, sensitivity and risk analysis should be performed
    - Sensitivity analysis seeks to understand the impact of changes in the variables involved
    - Risk analysis highlights the risks associated with the solution
    - Proper sensitivity and risk analysis ensure the report remains relevant and current despite the dynamic nature of the variables (within tolerance)
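The formulas listed under Methodologies (ROI, net benefit, annual loss) and the scenario comparison and sensitivity analysis described under Projected results and Risk analysis, carried through in one added Python example. This is not code from the lecture: the ROSI formula (avoided loss minus cost, over cost), the `classify` thresholds that map ROSI onto quick win / business case / defer, and all scenario figures are assumptions constructed for illustration.

```python
"""Business-case arithmetic for candidate security controls (added example).

Formulas taken from the lecture notes:
  ROI               = (gain - cost) / cost
  Net benefit (CBA) = benefit - cost
  Annual Loss (BIA) = (exposure x probability) / annual duration
ROSI is only described qualitatively in the notes; the common definition
  ROSI = (avoided loss - cost) / cost, with avoided loss = ALE x mitigation ratio
is assumed here, as are the quick-win / defer thresholds in classify().
All scenario figures below are constructed for illustration.
"""
from dataclasses import dataclass, replace


def roi(gain: float, cost: float) -> float:
    """Return on a general investment; carries no time perspective."""
    return (gain - cost) / cost


def net_benefit(benefit: float, cost: float) -> float:
    """CBA figure: absolute benefit left after paying for the solution."""
    return benefit - cost


def annual_loss_expectancy(exposure: float, probability: float,
                           duration_years: float = 1.0) -> float:
    """BIA figure: expected loss per year when `probability` applies over `duration_years`."""
    return exposure * probability / duration_years


def rosi(avoided_loss: float, cost: float) -> float:
    """Assumed ROSI: return measured on the loss the control avoids, not on profit."""
    return (avoided_loss - cost) / cost


@dataclass(frozen=True)
class Scenario:
    name: str
    exposure: float          # loss if the event occurs
    probability: float       # chance of the event within `duration_years`
    duration_years: float    # window the probability refers to
    mitigation_ratio: float  # fraction of the annual loss the control prevents
    control_cost: float      # annual cost of the control


def evaluate(s: Scenario) -> dict:
    """Key metrics for one scenario; `ale` is the current-situation loss without the control."""
    ale = annual_loss_expectancy(s.exposure, s.probability, s.duration_years)
    avoided = ale * s.mitigation_ratio
    return {"name": s.name, "ale": ale, "avoided_loss": avoided,
            "net_benefit": net_benefit(avoided, s.control_cost),
            "rosi": rosi(avoided, s.control_cost)}


def classify(rosi_value: float, quick_win: float = 2.0) -> str:
    """Assumed triage thresholds mapping ROSI onto the three prioritisation buckets."""
    if rosi_value >= quick_win:
        return "quick win"       # clear, efficient benefit; unlikely to be challenged
    if rosi_value > 0.0:
        return "business case"   # positive but needs justification against other priorities
    return "defer"               # benefit not achieved at reasonable cost


def compare(scenarios) -> list:
    """Rank candidate solutions by ROSI (highest first) and attach the triage label."""
    rows = [evaluate(s) for s in scenarios]
    for r in rows:
        r["priority"] = classify(r["rosi"])
    return sorted(rows, key=lambda r: r["rosi"], reverse=True)


def sensitivity(s: Scenario, field: str, factors=(0.5, 0.75, 1.0, 1.25, 1.5)) -> list:
    """Scale one input by each factor and report (input value, ROSI), so reviewers
    can see how far the recommendation survives changes in that variable."""
    base = getattr(s, field)
    out = []
    for f in factors:
        varied = replace(s, **{field: base * f})
        out.append((round(base * f, 4), round(evaluate(varied)["rosi"], 4)))
    return out


# Constructed scenarios: same threat (exposure/probability), three candidate solutions.
SCENARIOS = [
    Scenario("EDR rollout",    500_000, 0.60, 3.0, 0.80, 40_000),
    Scenario("admin MFA",      500_000, 0.60, 3.0, 0.50, 10_000),
    Scenario("outsourced SOC", 500_000, 0.60, 3.0, 0.90, 150_000),
]

if __name__ == "__main__":
    for r in compare(SCENARIOS):
        print(f'{r["name"]:<15} ALE={r["ale"]:>9,.0f} avoided={r["avoided_loss"]:>9,.0f} '
              f'net={r["net_benefit"]:>9,.0f} ROSI={r["rosi"]:>5.2f} -> {r["priority"]}')
    print("probability sensitivity (EDR):", sensitivity(SCENARIOS[0], "probability"))
```

The EDR and MFA rows produce the same net benefit under CBA but very different ROSI, which is why the notes pair an absolute figure with a ratio when deciding what counts as a quick win. The sensitivity rows show that the EDR recommendation flips from "business case" to "defer" once the event probability halves, which is the kind of finding the risk analysis section of the business case should state explicitly.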
  - Conclusion and recommendations
    - State the recommendation to address the initial subject and purpose
    - A business case should not be lengthy
    - Has the business case justified or rationalised the actions to take?
  - Clear subject and purpose
    - The subject: what is it all about?
    - The wish-list: what approvals/support/decisions are needed?